ByISBuzz Team Writer , Information Security Buzz | Mar 10, 2021 06:17 am PST
It has been reported that the website of English Premier League football club West Ham Utd has leaked the personal details of the clubs’ supporters. The club website is showing several error messages including “Drupal already installed”. Experts commented below.
10 Responses
<p>Vulnerabilities leading to an error screen, leaked data, or supplying details from other system users may be a result of commonly occurring vulnerabilities in the application security domain. A well-known list of common issues can be found in the OWASP Top 10 list. Every application that moves into production should at least be checked for OWASP Top 10 issues as a baseline to avoid and/or mitigate the most common vulnerabilities. These are also crucial for organizations to ensure GDPR compliance. After all, ensuring the confidentiality and integrity of data is vital to protect personal data from exposure.</p>
<p>We all trust our digital experiences to be inherently secure. Whether it\’s a football club\’s website or a banking app, we trust the service provider to keep our data safe. Anyone who thinks their data could have been leaked should be particularly careful of mobile phishing attacks in the future that leverage the leaked data.</p>
<p>All organisations of all sizes and in all verticals need to foster a culture of cyber security so that all aspects of security and design are taken into account. The leak at West Ham Utd is likely down to an internal error or misconfiguration, which is an easy enough error to make. This is why it\’s important to have in place the proper security controls, particularly where customer data is concerned so that there can be assurance that the data is being handled correctly.</p>
<p>Football fans will remember that in July 2020, the theft of nearly £1m from a Premier League football club was narrowly avoided. Before that, in February 2020, a misconfigured application leaked information from the Brazilian ticketing company Futebol Card. The latest news about West Ham is hardly surprising. We will only see these headlines go away when all software deployments are done with security in mind. When organization of all types have a security-first mindset, we will no longer read sad stories about open databases or misconfigured applications. Problems will still happen, of course, but they will be less common. Let’s make life a little hard for the bad guys. Affected West Ham fans should be aware that their personal information might be available to bad people, and be skeptical of unsolicited calls and emails containing their information.</p>
<p>The potential ramifications for West Ham United from this incident could be extremely costly. Since the introduction of GDPR, we have seen individual organisations fined as much as £42 million, with an astonishing overall amount of £235 million issued thus far against 533 organisations. For the West Ham United fans potentially affected by this breach, while the club should contact you directly if your details have been exposed, be cautious and act as if your personal details have been breached until notified otherwise. Be alert to incoming texts, calls, and emails utilising the information shared in this incident from unknown sources demanding further personal information or payment. Also consider the password you utilise for this account, if this has been duplicated on other personal accounts, this should be changed promptly.</p>
<p>The website belonging to West Ham United seems to have suffered from a security issue that put their supporter data at risk. To prevent this from happening again, it is important to carry out security and user acceptance testing when websites are going live. To limit damage from the data leak, West Ham United fans who have accounts with the ticket site should start to pay close attention to their emails and watch out for phishing scams. It will be interesting to see how the ICO handles this security misconfiguration because putting sensitive data at risk is one of the biggest concerns within the GDPR.</p>
<p>The West Ham United site appeared to have been leaking confidential supporter information which could have put their data into the hands of criminals. Supporters are advised to avoid using the site until West Ham United clearly communicates that the problem has been fixed.</p>
<p>Attacks against football clubs are not new. We see the same characteristics in comparison to other data breaches and phishing campaigns. The right atmosphere for social engineering, high net value individuals, and a large net of people to target during an important event. During a transfer window last year, one premier football league manager narrowly escaping the loss of £1 million pounds as attackers targeted specific mail accounts. Ransomware targeting IoT devices nearly caused a match to be postponed, with a demand for 400 bitcoins by the attackers, and we’ve seen botnet DDoS attacks leveraging Android devices.</p> <p> </p> <p>Mobile devices in the hands of consumers represent a significant gap in security where the user is expected to be fully educated in recognising threats across a variety of attack vectors. It’s a given that a large proportion of BYO devices at a matchday event will have little or no security controls in place, out of date OS, free and third-party apps, and the majority will be connected to free WIFI with the ability to receive texts from the data harvested by the attackers.</p>
<p>The West Ham data leak will put club supporters at real risk of being targeted by the bad actors of the world with phishing attempts via email, text, and phone calls. Supporters will need to beware of any communications that appear to come from the club, as hackers will seek to extract more information (such as financial information) from the victims of the leak.</p>
<p>While the instability of the West Ham United website appears to be still ongoing it is likely that an investigation will be initiated in order to see whether personal data has been breached. This may just have been a few small isolated incidents, that impacted a minority of users. However, in case the breach affected a larger pool of users the club will presumably follow the usual protocols, and if there is a personal data breach the Information Commissioner’s Office (ICO) will be informed.</p> <p> </p> <p>Sports teams around the world, and particularly in the UK, are adapting to being targeted by cybercriminals due to their financial status. During the last few years, <a href=\"http://www.ncsc.gov.uk/\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https://www.google.com/url?q=http://www.ncsc.gov.uk&source=gmail&ust=1615464248761000&usg=AFQjCNFxHObNswMl1TvB8ei7X2mTKSPWbg\">www.ncsc.gov.uk</a> has worked to increase the resilience of the sports industry in the UK. Their reports are a useful resource to help understand how sports clubs can better protect themselves from cyberattacks.</p>
10 Responses
<p>Vulnerabilities leading to an error screen, leaked data, or supplying details from other system users may be a result of commonly occurring vulnerabilities in the application security domain. A well-known list of common issues can be found in the OWASP Top 10 list. Every application that moves into production should at least be checked for OWASP Top 10 issues as a baseline to avoid and/or mitigate the most common vulnerabilities. These are also crucial for organizations to ensure GDPR compliance. After all, ensuring the confidentiality and integrity of data is vital to protect personal data from exposure.</p>
<p>We all trust our digital experiences to be inherently secure. Whether it\’s a football club\’s website or a banking app, we trust the service provider to keep our data safe. Anyone who thinks their data could have been leaked should be particularly careful of mobile phishing attacks in the future that leverage the leaked data.</p>
<p>All organisations of all sizes and in all verticals need to foster a culture of cyber security so that all aspects of security and design are taken into account. The leak at West Ham Utd is likely down to an internal error or misconfiguration, which is an easy enough error to make. This is why it\’s important to have in place the proper security controls, particularly where customer data is concerned so that there can be assurance that the data is being handled correctly.</p>
<p>Football fans will remember that in July 2020, the theft of nearly £1m from a Premier League football club was narrowly avoided. Before that, in February 2020, a misconfigured application leaked information from the Brazilian ticketing company Futebol Card. The latest news about West Ham is hardly surprising. We will only see these headlines go away when all software deployments are done with security in mind. When organization of all types have a security-first mindset, we will no longer read sad stories about open databases or misconfigured applications. Problems will still happen, of course, but they will be less common. Let’s make life a little hard for the bad guys. Affected West Ham fans should be aware that their personal information might be available to bad people, and be skeptical of unsolicited calls and emails containing their information.</p>
<p>The potential ramifications for West Ham United from this incident could be extremely costly. Since the introduction of GDPR, we have seen individual organisations fined as much as £42 million, with an astonishing overall amount of £235 million issued thus far against 533 organisations. For the West Ham United fans potentially affected by this breach, while the club should contact you directly if your details have been exposed, be cautious and act as if your personal details have been breached until notified otherwise. Be alert to incoming texts, calls, and emails utilising the information shared in this incident from unknown sources demanding further personal information or payment. Also consider the password you utilise for this account, if this has been duplicated on other personal accounts, this should be changed promptly.</p>
<p>The website belonging to West Ham United seems to have suffered from a security issue that put their supporter data at risk. To prevent this from happening again, it is important to carry out security and user acceptance testing when websites are going live. To limit damage from the data leak, West Ham United fans who have accounts with the ticket site should start to pay close attention to their emails and watch out for phishing scams. It will be interesting to see how the ICO handles this security misconfiguration because putting sensitive data at risk is one of the biggest concerns within the GDPR.</p>
<p>The West Ham United site appeared to have been leaking confidential supporter information which could have put their data into the hands of criminals. Supporters are advised to avoid using the site until West Ham United clearly communicates that the problem has been fixed.</p>
<p>Attacks against football clubs are not new. We see the same characteristics in comparison to other data breaches and phishing campaigns. The right atmosphere for social engineering, high net value individuals, and a large net of people to target during an important event. During a transfer window last year, one premier football league manager narrowly escaping the loss of £1 million pounds as attackers targeted specific mail accounts. Ransomware targeting IoT devices nearly caused a match to be postponed, with a demand for 400 bitcoins by the attackers, and we’ve seen botnet DDoS attacks leveraging Android devices.</p> <p> </p> <p>Mobile devices in the hands of consumers represent a significant gap in security where the user is expected to be fully educated in recognising threats across a variety of attack vectors. It’s a given that a large proportion of BYO devices at a matchday event will have little or no security controls in place, out of date OS, free and third-party apps, and the majority will be connected to free WIFI with the ability to receive texts from the data harvested by the attackers.</p>
<p>The West Ham data leak will put club supporters at real risk of being targeted by the bad actors of the world with phishing attempts via email, text, and phone calls. Supporters will need to beware of any communications that appear to come from the club, as hackers will seek to extract more information (such as financial information) from the victims of the leak.</p>
<p>While the instability of the West Ham United website appears to be still ongoing it is likely that an investigation will be initiated in order to see whether personal data has been breached. This may just have been a few small isolated incidents, that impacted a minority of users. However, in case the breach affected a larger pool of users the club will presumably follow the usual protocols, and if there is a personal data breach the Information Commissioner’s Office (ICO) will be informed.</p> <p> </p> <p>Sports teams around the world, and particularly in the UK, are adapting to being targeted by cybercriminals due to their financial status. During the last few years, <a href=\"http://www.ncsc.gov.uk/\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https://www.google.com/url?q=http://www.ncsc.gov.uk&source=gmail&ust=1615464248761000&usg=AFQjCNFxHObNswMl1TvB8ei7X2mTKSPWbg\">www.ncsc.gov.uk</a> has worked to increase the resilience of the sports industry in the UK. Their reports are a useful resource to help understand how sports clubs can better protect themselves from cyberattacks.</p>